Saved from hackers variables in php script

Printable View

02-11-2010, 04:05 PM
auriaks

Saved from hackers variables in php script

Hi,
if I have variable from form:

PHP Code:

$name = $_POST['name'];

I want to insert its value to mysql, but there can be php code which hacks my all script...

Will it be safe if I will do that?

PHP Code:

$name = mysql_real_escape_string($name);

What I knew before, tjis line helped to keep safe the value from other script, or I'm wrong?
02-11-2010, 04:09 PM
Schmoopy

Using the above will stop anyone from doing an SQL injection on your database. Google "SQL injection" for more information on it.

It won't stop all hackers, but it will stop people from being able to alter information in your database, at least in that query.

It's good practice to do what you've done with any variables that are input by the user.
02-11-2010, 04:10 PM
djr33

Hackers must have a way to attack your script. There is no magical way that hackers work: they just find a weakness.
That line, as Schmoopy says, will stop hackers from using your MySQL queries against you. There might be other unrelated ways they can attack your script, but for MySQL that should be enough.
02-11-2010, 05:27 PM
auriaks

I was atacked from my uploading system :D I didn't secured the files which users uploaded, so one of them uploaded gooog.php - that file showed all my script.

I solved that problem by putting secure of .php extensions... Maybe is there other files I should be aware of??
02-11-2010, 06:40 PM
bluewalrus

From every sort of possible attack?

Could try looking at these examples http://ha.ckers.org/xss.html
02-11-2010, 06:54 PM
auriaks

xss :D might be better if I would know something about it :D
02-11-2010, 07:02 PM
Schmoopy

It's just not possible to make a site non-hackable, because there will always be some way of getting in. All you can really do is minimise the risk of that happening.

Generally you just want to make sure your passwords are not easily guessable, or use a word found in the dictionary (by itself).

Read that XSS article if you want, but if you don't understand it very well then you may want to look here instead: http://aachen-method.com/, very informative videos.
02-12-2010, 03:26 AM
djr33

Quote:

It's just not possible to make a site non-hackable, because there will always be some way of getting in.

Technically, it's the opposite. There are no ways in, then every bit of code (etc) that you add to the page becomes a possible way in. Unless as you make the site more complex you also keep the security level for every element high, there will then become ways to get in, but it will also be technically created by adding code to the site.

As for blocking the PHP extension, the way to do this is to only allow files that end in a certain extension. Do NOT disallow ".php", but instead ONLY allow ".jpg", or whatever you may need. It's much better to have a long list of allowed filetypes than to find out that someone uploaded a ".abc" file that then hacked your server. For example, blocking only .php means that they can still upload .asp, among other things.
02-12-2010, 02:03 PM
auriaks

thanks, valuable information :)
02-16-2010, 03:14 PM
auriaks

well, I found and used this script to prevent other types of files:

PHP Code:

$allowedExtensions = array("jpg","jpeg","gif","png"); foreach ($_FILES as $file) { if ($file['tmp_name'] > '') { if (!in_array(end(explode(".", strtolower($file['name']))), $allowedExtensions)) { $error .= "'.<li>Nuotrauka yra neleistino formato.</li>"; } } }

but still... I found out one bad thing. You can't upload image.php extention, but you can upload image.php.png which is allowed. And then user can write ../..link../image.php what will execute his php script from file, as well.

How I can evade this problem?

Just write whats on you mind. Thanks.
02-16-2010, 03:36 PM
Schmoopy

You want to be looking at the actual type of the file, as opposed to its name. You can access this with $_FILES['uploaded_file']['type'], or in your case:

PHP Code:

foreach($_FILES as $file) { if($file['type'] == 'image/jpeg') echo 'allow'; else echo 'no'; }

That shows you the basic concept, but just make an array like before, but this time with different MIME types, a list of which can be found here: http://www.webmaster-toolkit.com/mime-types.shtml

So something like:

PHP Code:

$allowed = array("image/png", "image/jpeg");

Etcetera...

You should be able to go from there with it. See how you get on.
02-16-2010, 04:01 PM
auriaks

Thanks... Good post from you :)

Btw, can you solve my other need?

I want prevent files' size. if ($size > 0.3mb) {not allow} else {allow}
02-16-2010, 04:06 PM
Schmoopy

This should do it. Also note that the max file size is also declared in the php.ini file, and is normally 2MB, so you'll need to edit that file as well if you want to upload files greater than 2MB.

PHP Code:

define("MAX_FILE_SIZE", 314573); // This is the file size in bytes foreach($_FILES as $file) { if($file['size'] > MAX_FILE_SIZE) { echo "The file you're trying to upload is too big"; } else { // Code for uploading file here } }

314573 Bytes = ~0.3MB.

An easy way to convert MB to bytes is to use: http://www.matisse.net/bitcalc/.

Or if you don't like that one, just search for "bits to bytes converter" in Google.
02-16-2010, 04:11 PM
auriaks

php.ini ? why should I do that?
02-16-2010, 04:12 PM
Schmoopy

You only need to change that if you're wanting to upload files greater than 2MB. But from the looks of it, you only want files that are 0.3MB or less, so no need to worry.
02-16-2010, 04:19 PM
auriaks

OK then... thanks :) Brilliant :)
02-16-2010, 06:57 PM
auriaks

Have problem again, I am upoading right format, but script says that wrong...

PHP Code:

define("MAX_FILE_SIZE", 307200); // This is the file size in bytes foreach($_FILES as $file) { if($file['size'] > MAX_FILE_SIZE) { $error .= "<li>Nuotraukos dydis viršija 0.3mb!</li>"; } else { foreach($_FILES as $file) { $allowed = array('image/png', 'image/jpeg', 'image/bmp', 'image/gif', 'image/pjpeg'); if($file['type'] == $allowed) { $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {$fileName = basename($_FILES['uploadedfile']['name']);} } else {$tt = $file['type']; $error .= "<li>Nuotrauka yra neleistino $tt formato. Leistini: .png .jpg .gif .bmp</li>";}} }}
02-16-2010, 07:27 PM
Schmoopy

Atm you're doing:

PHP Code:

if($file['type'] == $allowed)

So you're actually comparing it to the $allowed array as a whole, and not checking whether the file type is actually one of the values in the allowed array. Change your code to:

PHP Code:

define("MAX_FILE_SIZE", 307200); // This is the file size in bytes $allowed = array('image/png', 'image/jpeg', 'image/bmp', 'image/gif', 'image/pjpeg'); foreach($_FILES as $file) { if($file['size'] > MAX_FILE_SIZE) { $error .= "<li>Nuotraukos dydis viršija 0.3mb!</li>"; } else { if(in_array($file['type'], $allowed)) { $target_path = $target_path . basename( $_FILES['uploadedfile']['name']); if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) { $fileName = basename($_FILES['uploadedfile']['name']);} } else { $tt = $file['type']; $error .= "<li>Nuotrauka yra neleistino $tt formato. Leistini: .png .jpg .gif .bmp</li>"; } } }

Sorry about the formatting :p
02-16-2010, 07:42 PM
auriaks

Better :) thanks again :D (I schould be sorry for that :))